A USER IDENTIFICATION MODULE 
FOR ACCESS TO MULTIPLE COMMUNICATION NETWORKS 

FIELD OF THE INVENTION 

[0001] The present invention relates to a user identification module for access to 
multiple communication networks and in particular but not exclusively to a user 
identification module for third generation telecommunication systems. 

BACKGROUND OF THE INVENTION 

[0002] A communication system is a facility that enables communication 
between two or more entities such as user terminal equipment and/or network 
entities and other nodes associated with a communication system. The 
communication may comprise, for example, communication of voice, electronic 
mail (email), text messages, data, multimedia and so on. 

[0003] The communication may be provided by a fixed line and/or wireless 
communication interfaces. A feature of wireless communication systems is that 
they provide mobility for the users thereof. An example of a communication 
system providing wireless communication is a public land mobile network (PLMN) 
and another example is a wireless local area network (WLAN). An example of the 
fixed line system is a public switched telephone network (PSTN). 

[0004] A cellular telecommunications system is a communication system that is 
based on use of radio access entities and/or wireless service areas. The access 
entities are typically referred to as cells. Examples of cellular telecommunications 
systems include standards such as the GSM (Global System for Mobile 
Communications), GPRS (General Packet Radio Service), AMPS (American 
Mobile Phone System), DAMPS (Digital AMPS), WCDMA (Wideband Code 
Division Multiple Access), UMTS (Universal Mobile Telecommunications System), 
and CDMA 2000 (Code Division Multiple Access 2000). 

[0005] A communication system typically operates in accordance with a given 
standard or specification which sets out what the various elements of a system 
are permitted to do and how that should be achieved. For example, the standard 
or specification may define if the user, or more precisely user equipment, is 
provided with a circuit switched service or a packet switched service or both. 
Communication protocols and/or parameters which should be used for the 
connection are also typically defined. For example, the manner in which 
communication shall be implemented between the user equipment and the 
elements of the communication networks is typically based on a predefined 
communication protocol. In other words, a specific set of "rules" on which the 
communication can be based needs to be defined to enable the user equipment to 
communicate via the communication system. 

[0006] The term "service" used above and hereinafter will be understood to 
broadly cover any service which a user may desire, require or be provided with. 
The term also will be understood to cover the provision of complementary services. 
In particular, but not exclusively, the term "service" will be understood to include 
Internet protocol multimedia IM services, conferencing, telephony, gaming, rich 
call, presence, e-commerce and messaging e.g. instant messaging. 

[0007] The introduction of Third Generation (3G) communication systems has 
significantly increased the possibilities for accessing services on the Internet via 
mobile user equipment (UE) as well as other types of UE. 

[0008] Various user equipment (UE) such as computers (fixed or portable), 
mobile telephones, personal data assistants or organisers and so on are known to 
the skilled person and can be used to access the Internet to obtain services. 
Mobile user equipment is often referred to as a mobile station (MS) and can be 
defined as a means that is capable of communication via a wireless interface with 
another device such as a base station of a mobile telecommunication network or 
any other station. In order to allow a user to operate a range of user equipment 
terminals, yet retain the same identity, user equipment can typically be considered 
to comprise two elements: the Mobile Equipment terminal (ME) and the 
Subscriber Identity Module (SIM). An example of the SIM is the UMTS Subscriber 
Identity Module (USIM). The identity module is a smartcard that holds the 
subscriber identity and performs authentication steps needed by the ME. The 
physical separation of the smartcard functionality and the mobile equipment 
terminal not only allows the user to transfer their identity from terminal to terminal 
but also improves security. As the security algorithms and encryption keys 
associated with that user can also be stored on the smart card and isolated from 
the terminal, the terminal carries no data related to the user. 

[0009] The 3G Partnership Project (3GPP) defines a reference architecture for a 
core network which provides the users of user equipment UE with access to the 
services provided via the communication system. This 3G core network is divided 
into three principal domains. These are the Circuit Switched (CS) domain, the 
Packet Switched (PS) domain and the Internet Protocol Multimedia (IM) domain. 

[0010] The latter of these, the IM domain, makes sure that multimedia services 
are adequately managed. The IM domain supports the Session Initiation Protocol 
(SIP) as developed by the Internet Engineering Task Force (IETF). 

[0011] SIP is an application layer signalling protocol for starting, changing and 
ending user sessions as well as for sending and receiving transactions. A session 
may, for example, be a two-way telephone call or multi-way conference session or 
connection between a user and an application server (AS). The establishment of 
these sessions enables a user to be provided with the above-mentioned services. 
One of the basic features of SIP is that the protocol enables personal mobility of a 
user using mobile UE by providing the capability to reach a called party (which 
can be an application server AS) or another user equipment via a single location 
independent address. 

[0012] A user connected to a SIP based communication system may 
communicate with various entities of the communication system based on 
standardised SIP messages. SIP is defined in an Internet Engineering Task 
Force (IETF) protocol specification by J. Rosenberg et al. titled "SIP: session 
initiation protocol", RFC 3261, July 2001. This document is incorporated by 
reference. 

[0013] One version of the third generation standard is "Release 5" or "rel5". This 
introduces the IP multimedia core network subsystem (IMS) that has been 
developed to use SIP technology as a basis for all IP services such as voice over 
IP, amongst others. The SIP standard is a rendezvous protocol which can be 
used to establish media sessions between a SIP user agent client (UAC) and a 
SIP user agent server (UAS). To open a session, SIP uses the SDP (session 
description protocol) protocol and it is thus possible to establish a variety of 
sessions depending on the used application both for real time services and non 
real time services. SIP is a flexible protocol that can be used to establish different 
types of sessions. For example, some sessions may require a certain 
precondition to be satisfied. Other sessions may require reliable provisional 
responses. Other sessions may require confirmation of reserved resources. It is 
also possible to have a variable number of SDP offer/answer exchanges. 

[0014] The present invention relates, in particular, to modifications to the 
Removable User Identification Module (R-UIM) used in some 3G access 
networks. The R-UIM is similar to the Subscriber Identification Module (SIM) 
inserted, for example, in a Global System for Mobile telecommunications (GSM) 
user equipment. At present, mobile devices using CDMA technology can use the 
R-UIM to enable connectivity and security, for example, within a cdma2000 
access network. 

[0015] Currently, the R-UIM, and the limitations imposed by using the R-UIM, are an 
issue for the IP Multimedia Subsystem (IMS) harmonisation between the Third 
Generation Partnership Project (3GPP) and the Third Generation Partnership 
Project 2 (3GPP2). One of the major limitations of the R-UIM is that it is 
not capable of enabling several applications. The R-UIM is further incapable of 
enabling several applications to be run in parallel. Network applications could be, 
for example, a CDMA2000 access network application and an IMS core network 
application. Furthermore, the R-UIM does not provide the means for 
distinguishing between different access networks for multi-access mobile devices, 
e.g. cdma2000 and WLAN access networks. 

[0016] It is further not possible to implement the separation of access level and 
IMS level authentication and security mechanisms in a R-UIM/SIM structure as 
multiple applications are needed to handle the separation. 

[0017] There is provided according to the present invention a user identification 
module for user equipment for use in an access network said module being 
arranged to enable a plurality of access network applications to run. 

[0018] The plurality of access network applications may be run in parallel. 

[0019] The module may be arranged to enable at least one core network 
application to run, and wherein said module may be arranged to enable said core 
network application to run in parallel with at least one of said plurality of access 
network applications. 

[0020] The user identification module may be arranged to generate 
authentication data for said core network and said access network, wherein said 
authentication data for said core network and for said access network may be 
further arranged to be dependent on a common data set. 

[0021] The common data set possibly comprises data for use in encryption. 

[0022] The common data set may be arranged to comprise at least one shared 
key between the access network and the access network application or the core 
network application, said shared key being possibly arranged to generate the 
required session key or keys. 

[0023] The access network may comprise at least one of: a CDMA2000 
network; a UMTS network; an IEEE 802.11 network; a GSM network; a DAMPS 
network; an AMPS network; a WCDMA network. 

[0024] The core network application may be an IP multimedia service (IMS). 

[0025] The module may comprise a Universal Integrated Circuit Card. 

[0026] According to a second aspect of the present invention there is provided a 
communications system comprising: a plurality of access networks; at least one 
user equipment arranged for use in at least one of said access networks; and a 
user identification module for use in said at least one user equipment, said module 
being arranged to enable a plurality of access network applications to run. 

[0027] The plurality of access network applications may run in parallel. 

[0028] The module may be arranged to enable at least one core network 
application to run, and wherein said module may be arranged to enable said core 
network application to run in parallel with at least one of said plurality of access 
network applications. 

[0029] The user identification module may be arranged to generate 
authentication data for said core network and said access network, wherein said 
authentication data for said core network and for said access network is possibly 
further arranged to be dependent on a common data set. 

[0030] The common data set may comprise data for use in encryption. 

[0031] The common data set may be arranged to comprise at least one shared 
key between the access network and the access network application or the core 
network application, said shared key preferably being arranged to generate the 
required session key or keys. 

[0032] The access network may comprise at least one of: a CDMA2000 
network; a UMTS network; an IEEE 802.11 network; a GSM network; a DAMPS 
network; an AMPS network; a WCDMA network. 

[0033] The core network application may be an IP multimedia service (IMS). 

[0034] The module may comprise a Universal Integrated Circuit Card. 

[0035] According to a third aspect of the present invention there is provided a 
method for operating a user identification module for user equipment for use in an 
access network, comprising the step of: enabling a plurality of access network 
applications to run. 

[0036] The step of enabling a plurality of access network applications to run 
may comprise; enabling a first access network application to run, enabling a 
second access network application to run, wherein said first and second access 
network applications are enabled to run in parallel. 

[0037] The method may further comprise the step of enabling at least one core 
network application to run, wherein said step of enabling a plurality of access 
network applications and said step of enabling at least one core network to run 
are arranged to enable said at least one core network application to run in parallel 
with at least one of said plurality of access network applications. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0038] These and other features, aspects, and advantages of embodiments of 
the present invention will become apparent with reference to the following 
description in conjunction with the accompanying drawings. It is to be understood, 
however, that the drawings are designed solely for the purposes of illustration and 
not as a definition of the limits of the invention, for which reference should be 
made to the appended claims. 

[0039] Figure 1 shows a simplified schematic view of a mobile communication 
system; 

[0040] Figure 2 shows a partially sectioned schematic view of a mobile user 
equipment; 

[0041] Figure 3 shows a prior art 3GPP Release5 logical UICC; 
[0042] Figure 4 shows a prior art tree structure of the data stored in the R-UIM; 

[0043] Figure 5 shows a schematic view of the data structure within an 
enhanced UICC according to a preferred embodiment; 

[0044] Figure 6 shows a schematic view of a data tree structure within the 
enhanced UICC according to a preferred embodiment; 

[0045] Figure 7 shows a schematic view of the relationships between primitives 
within the enhanced UICC according to a preferred embodiment; and 

[0046] Figure 8 shows a view of the security mechanisms capable of being 
employed using the enhanced UICC in one or more preferred embodiments. 

DETAILED DESCRIPTION 

[0047] Figure 1 depicts a schematic view of a mobile communication system 99. 
The system can be divided, in order to simplify the understanding of the system, 
between the elements forming the radio access network (RAN) 51 and the 
elements forming the core network (CN) 53. 

[0048] The RAN 51 shown in figure 1 comprises: a plurality of network 
controllers 4,5,6; and a plurality of base stations (BS) 1,2,3. Figure 1 also shows 
user equipment (UE) 7 connecting to the RAN 51. Although only one user 
equipment is shown for simplicity, a mobile communication system comprises 
many user equipment terminals. User equipment can also be known as mobile 
devices, mobile stations, and mobile communications devices. The user 
equipment 7 shown in figure 1 is shown as a mobile communications device or 
mobile telephone. User equipment can also be such devices as personal digital 
assistants (PDA) with transceiver capability or personal computers with 
transceiver capability. The user equipment 7 transmits and receives using 
wireless communications transceivers to communicate with the base stations. In 
some embodiments of the present invention the user equipment are capable of 
transmitting and receiving communications directly and without recourse to the 
base stations. In other embodiments of the present invention the user equipment 
is capable of communicating with more than one base station. 

[0049] The base stations (BS) 1, 2 and 3 transmit communications data to, and 
receive it from, the user equipment. In some embodiments of the present invention 
the base stations 1,2,3 are capable of transmitting and receiving communications 
or signalling data between each other. Base stations 1,2,3 are also known as 
base transceiver stations (BTS). Each base station 1,2,3 is connected to a radio 
network controller (RNC) 4, 5 and 6. 

[0050] The Radio Access Network in figure 1 shows user equipment 7 
wirelessly receiving and transmitting signals from and to at least one of the base 
stations 1, 2 and 3. Each base station and its respective RNC forms a radio 
access network (RAN). 

[0051] A 3G radio access network (RAN) 51 connects to an appropriate core 
network (CN) 53. The core network 53 comprises an entity or entities which handle 
data through the network. An example of such an entity is a serving general packet 
radio service support node (SGSN). The core network 53 further comprises entities to 
set up, control or audit the flow of data; these entities have not been shown in 
detail in figure 1. An example of an appropriate control entity is the call state 
control function (CSCF). 

[0052] In Figure 1, the CN is shown comprising an access gateway (AGW) 8 
and other core network control elements 9 responsible for switching and routing 
calls and data connections to other external networks. 

[0053] The access gateway in some embodiments of the core network is a 
gateway GPRS support node (GGSN). 

[0054] The call state control function entities may provide different functions 
such as a proxy call state control function (P-CSCF), interrogating call state control 
function (I-CSCF), and/or serving call state control function (S-CSCF). It shall be 
appreciated that sometimes the CSCFs may be referred to as the call session 
control functions. The serving call state control function forms the entity at which the 
subscriber needs to be registered in order to be able to request a service 
from the communication system. In addition to the serving control entity, the user 
may need to be associated with one or more proxy and interrogating control 
entities. 

[0055] With reference to figure 2, a schematic view of a partially sectioned 
image of mobile user equipment 10 as can be used in embodiments of the 
invention is shown. The exemplifying user equipment 10 is shown to comprise an 
antenna element 11, a display 12, a series of control buttons on a keypad 13, a 
processor entity 14, a memory 15, and a user identity module 16. 

[0056] The antenna element 11 is used to wirelessly receive signals from and 
transmit signals to base stations of a mobile communication network. 

[0057] The display 12 displays images and other visual information for the user 
of the mobile user equipment 10. 

[0058] The operation of the mobile user equipment 10 may be controlled by 
means of control buttons 13 on the keypad thereof. 

[0059] Furthermore, the mobile user equipment 10 is provided with a processor 
entity 14, a memory means 15 and a user identity module 16. The processor and 
memory means of the user equipment may be used in the embodiments of the 
present invention. More particularly, the processor may be used for the required 
identification and selection processes. 

[0060] The user identity module 16 provides the means for the user equipment 
to authenticate the user and also provides encryption for 
communication between the user equipment and the base station, in order to 
prevent communication between the two from being intercepted and read in an 
easily understandable form. In some user equipment the user identity module 16 is 
removable. The user identity module 16 in some user equipment is known as a 
universal integrated circuit card (UICC). 

[0061] Figure 3 depicts a prior art 3GPP Release 5 logical UICC. 

[0062] In the standards published by the standards groups ETSI and 3GPP, the 
universal integrated circuit card UICC 100 is defined in terms of its physical and 
logical characteristics (ETSI TS 102 221), and its interfacing with user equipment 
(3GPP TS 31.101) for providing the security and identification attributes as 
defined in the universal subscriber identity module (USIM) 101 in a universal 
mobile telecommunications system (UMTS) (3GPP TS 31.102) and also the 
security and identification attributes as defined in the IP multimedia services (IMS) 
identity module (ISIM) 103 (3GPP TS 31.103). All four documents are hereby 
incorporated by reference. 

[0063] Figure 3 shows the UICC 100 comprising a series of generic UICC 
applications and variables such as #authentication() and #long-term-key. The 
UICC further comprises USIM 101 and ISIM 103 functional entities. 

[0064] The USIM functional entity 101 comprises files containing USIM 
applications and files containing USIM specific data, as well as files containing 
USIM specific information data. In figure 3 the first division shows the title of the 
entity (USIM), the second division shows the USIM specific data (for example the 
files -security-attributes and -other-UMTS-specific-attributes are shown), the third 
division shows the USIM applications (for example the applications #Read- 
Attribute() and #Write-Attribute() are shown). 

[0065] The ISIM functional entity 103 comprises files containing ISIM 
applications and files containing ISIM specific data. In figure 3 the first division 
shows the title of the entity, the second division the ISIM specific data (for 
example the data within the file -Integrity-key) and the third division shows the 
ISIM applications (for example the application #Read-ciphering-key() is shown). 
[0066] The UICC can contain other applications, not included in Figure 3. 

[0067] Figure 4 shows the prior art tree structure of the Removable User 
Identification Module (R-UIM) 200 as can be used to provide authentication and 
security information in the CDMA2000 telecommunications system. As described 
previously the R-UIM system adopted the physical and electrical specifications of 
the GSM SIM. The GSM SIM specification is defined in the document GSM 11.11 and 
is hereby incorporated by reference. The logical structure for data storage in 
the R-UIM 200 is similar to that of the GSM Subscriber Identity Module (SIM), comprising the 
files: the master file (MF 3f00), and the directory files (DF): the telecom file (DF 7f10), the 
GSM Evolution file (DF 7f20), the TDMA file (DF 7f24), the PCS 1900 file (DF 
5f40) and the CDMA file (DF 7f25). 

[0068] The file structure of the R-UIM is also similar to that provided by the GSM 
SIM. The master file has a directory containing the directory files, telecom, GSM 
Evolution, TDMA, and CDMA files, and the GSM Evolution file having a directory 
containing the directory file PCS 1900. Further each of the directory files can 
further comprise directory files or elementary files (EF), these further directory and 
elementary files are not shown in figure 4. The elementary files, as described in 
document 3GPP2 C.S0023-A, available on the web at address 
http://www.3gpp2.org/Public_html/specs/C.S0023-A_v1.0.pdf and hereby 
incorporated by reference, contain data used in the operation of the applications 
described by the directory files. 

[0069] The major difference between the GSM SIM and the R-UIM is the 
requirement to handle CDMA2000 data, for example identification and 
subscription information. The standards required in CDMA2000 therefore define 
the directory file (DF) CDMA. Thus the CDMA2000 operation owns and controls 
its "directory file" (DF). The CDMA2000 directory file "DF 7F25" 225 stores 
information for the CDMA family of standards (for example the CDMA standards 
IS-95, IS-2000). As discussed previously, the structure of the R-UIM is capable of 
supporting only one application at a time: for example, if the R-UIM supports a 
CDMA2000 application using the master file and the CDMA2000 directory file, it is 
unable to support a further application. In the CDMA2000 directory files or 
dependent elementary files no attributes or methods are defined for IMS, and 
therefore it is not possible to run IMS and CDMA2000 applications concurrently. 

[0070] With reference to figure 5 an embodiment of the present invention 
showing the data structure of a user identity card that may be used for parallel 
access and also via at least two access systems to a service via a core network of 
the communication system is shown. In the embodiment described below, a 
conventional user identity module is modified so that the IMS application (ISIM) is 
totally decoupled from the IP connectivity application, UMTS (USIM). 

[0071] Figure 5 shows the data structure of a removable user identification 
module for use in CDMA2000 networks as well as for use in UMTS networks. The 
R-UIM in this embodiment of the present invention comprises a UICC 300. The 
data structure of the UICC according to embodiments of the present invention 
differs from that in prior art UICCs for use in UMTS networks only. The UICC in 
embodiments of the present invention can comprise zero, one, or more IMS 
core network applications. In the embodiment of the present invention shown in 
figure 5 the UICC comprises a single ISIM application 301. 

[0072] The UICC further comprises in embodiments of the present invention a 
number of IP connectivity applications. This number may in embodiments of the 
present invention range from zero to n IP connectivity applications, where n is a 
natural number. In the embodiment shown in figure 5 the UICC comprises 
two IP connectivity applications, a CDMA2000 application 303 (for connection to a 
CDMA2000 network) and a USIM application 305. In some embodiments of the 
invention the USIM application can be used for connection to a UMTS access 
point, or a WLAN (Wireless Local Area Network). The UICC in some 
embodiments of the present invention further comprises a number of other non- 
mobile communications applications. These non-mobile communication 
applications are not shown in figure 5, but are known in the art to include such 
applications as mobile banking, mobile commerce, or a fragment of computer 
code such as a JAVA applet run on the machine reading the card. 
[0073] In some embodiments of the present invention the security attributes and 
mechanisms used in the telecommunications connectivity are defined in the 
application itself. In such embodiments of the present invention the security 
attributes and mechanisms from the applications can override the ones defined for 
the IP connectivity. This differs from the prior art as experienced in some access 
networks where the use of a removable device in user equipment is only optional. 
In such user equipment the identity of the user and the security attributes and 
mechanisms are embedded in the user equipment and thus cannot be 
considered to be separable. 

[0074] This embodiment allows the complete separation between IP 
connectivity and security information. For example, in the embodiment shown in 
figure 5, if the ISIM application 301 uses the security mechanism known as 
Authentication and Key Agreement (AKA), which covers the generation of the 
authentication keys and the exchange of these keys between the terminal and the 
network for mutual authentication, the IP connectivity application can use, for 
example, a separate security mechanism known as Cellular Authentication and 
Voice Encryption (CAVE). 

[0075] Prior art CDMA2000 user equipment (UE), for example mobile phones, 
contain CDMA2000 information and specific security and authentication 
algorithms (methods) with which the user equipment connects to the CDMA2000 
network. User equipment incorporating embodiments of the present invention 
may alternatively choose to operate in the CDMA2000 network environment 
in one of the following ways: 

[0076] 1. To use the information defined on the UICC (card) as featured in 
embodiments of the invention only for allowing the mobile to connect to the IMS. 
In other words to use the information stored in the ISIM application; or 

[0077] 2. To add IMS information and specific methods from the information 
defined on the UICC to the information already stored in the UEs; or 
[0078] 3. To derive ISIM attributes (such as the domain and the IDs of the 
users) from current information stored either on the user equipment or on the 
UICC (card). 

[0079] In order to be capable of implementing embodiments of the present 
invention on the UICC new Elementary Files are created to support the ISIM 
feature. In this embodiment two Elementary files: EF Long-term Key (K) and EF 
CSKN are created. EF Long-term Key, and EF CSKN contain data enabling the 
user equipment to access the IP system over the CDMA2000 network. 

[0080] In some embodiments of the present invention the UICC may comprise 
within the ISIM application, an authentication method (algorithm). This 
authentication method is designated in some embodiments of the present 
invention to be, IMS Authentication and Key Agreement (AKA), and is provided in 
embodiments of the invention when the IP connectivity is not provided by an 
UMTS network. In such embodiments of the present invention, only the 
applications accessing the UMTS network are enabled to use the same 
authentication algorithm, with applications using the alternative network enabled 
to use the same or alternative authentication methods. 

[0081] In a further embodiment of the invention the UICC supporting 
CDMA2000 access further includes an ADF (Application Dedicated File) 
CDMA2000 in the EF directory of the UICC. 

[0082] With respect to Figure 6, the data tree structure of a preferred 
embodiment of the UICC 400 incorporating cdma2000 access is shown. Where 
there is a relationship between the data tree structure of figure 6 and the logical 
structure as shown in figure 5, the relationship has been marked by a dashed box 
and labelled. The data tree shows the master file 401. The master file, as defined 
in ETSI TS 102 221, is implicitly selected and becomes the current directory when 
the user equipment containing the UICC is switched on or reset. The user 
equipment can then select any other file contained on the UICC by using a select 
command in order to read the relevant information to implement the application to 
be run. In a preferred embodiment of the present invention there are three 
elementary files at the same level as the master file. The three elementary files 
are EF Preferred Languages (EF_PL) 411, EF Integrated Circuit Card Identification 
(EF_ICCID) 409, and EF Directory (EF_DIR) 451. The combination of these elementary 
files and the master file is the equivalent of the UICC application 300. The EF 
Preferred Languages contains language codes, which are defined in order of 
preference. The EF Integrated Circuit Card Identification provides a unique 
identification value for each of the UICCs. The EF Directory consists of one or 
more records with each record holding a single entry. Each entry in the EF 
Directory is a data object. The data object identifies the application identifiers 
(AIDs) and the application labels on the UICC (the AIDs of 3GPP applications are 
defined in ETSI TS 101 220, the document is hereby incorporated by reference). 

[0083] In a first embodiment of the present invention the UICC comprises at 
least two application dedicated files (ADFs). A first type of the at least two 
application dedicated files is those applications relating to access to a 
communications network. The first type, shown in figure 6 as an ADF, contains 
directory and elementary files containing data and applications in order that the 
user equipment can access at least one communication network. In one 
embodiment of the present invention one of these ADF applications is the 
CDMA2000 ADF. Each of the communication ADFs and their associated directory 
and elementary files are the equivalent of the applications shown in figure 5 
relating to the network applications 303, 305. 

[0084] In other embodiments other UMTS networks are supported by the UICC 
comprising additional ADFs. In some embodiments of the invention the network 
accessed is selected from the user equipment. 

[0085] The second type of application dedicated files are the IM Services 
Identity Module (ISIM) 405 ADFs. In the embodiment shown in figure 6 one 
ADF_ISIM is shown. In alternative embodiments more than one IM services identity 
module is available. The ADF_ISIM 405 is shown in further detail to comprise a 
series of elementary files: the EF Ciphering and Integrity Keys for IMS (EF_KEYS) 
413, the EF IMS private user identity (EF_IMPI) 415, the EF Home Network Domain 
Name (EF_DOMAIN) 417, the EF IMS public user identity (EF_IMPU) 419, the EF 
Administrative Data (EF_AD) 421, and the EF Access Rule Reference (EF_ARR) 423. 
The IM services identity module ADF and its associated directory and elementary 
files are the equivalent of the ISIM applications 301. 

[0086] The EF_KEYS 413 file is the file which contains the ciphering key CK, the 
integrity key IK and the key set identifier KSI for the IP multimedia subsystem. The 
EF_IMPI 415 is the file containing the private user identity of the user. The EF_DOMAIN 
417 is the file containing the home operator's network domain name, in other 
words the simple internet protocol uniform resource locator (SIP URI). The EF_IMPU 
419 is the file containing one or more public SIP identities of the user, in other 
words the SIP URIs by which other parties know the subscriber. The EF_AD 421 is 
the file containing information concerning the mode of operation according to the 
type of ISIM, such as normal (used by IMS subscribers for IMS operations), type 
approval (allowing specified use of the user equipment during type approval 
procedures), or manufacturer specific (to allow the user equipment to perform 
specific automatic testing). The EF_AD also contains information providing an 
indication of whether some user equipment features are to be activated during 
normal operation. The EF_ARR 423 is the file containing the access rules for files 
located under the ISIM ADF in the UICC. 

[0087] Although not shown in figure 6, the equivalent functionality to that 
provided by the DF CDMA in figure 4 is found in embodiments of the present 
invention as an Elementary File (EF) under the ADF CDMA. 

[0088] In further embodiments of the present invention the functionality carried 
out by EFs in the prior art is carried out in embodiments of the present invention 
as EFs located under the ADF referenced to CDMA2000. 

[0089] With reference to Figure 6, the CDMA2000 ISIM as featured in the data 
structure of the embodiment shown is close to the 3GPP ISIM which is defined in 
the standard reference document 3GPP TS 31.103. 

[0090] In embodiments of the present invention it is therefore possible to store 
the following information in the UICC: 

[0091] 1. One IM Private Identity (IMPI) as a Network Access Identifier (NAI) 
formatted according to RFC 2486 (Request for Comments) by the Internet 
Engineering Task Force (IETF). This document is herein incorporated by 
reference. It is assigned by the home network operator, and is used for 
Authentication, Authorisation, Administration and Accounting purposes; 

[0092] 2. One or several IM Public Identity (IMPU) formatted as a Simple 
Internet Protocol (SIP) Uniform Resource Locator (URL) according to RFC2543 or 
RFC2396 or E.164 number, as is known in the art. The IMPU is used to initiate 
communications with other users. The user can have more than one but only one 
is stored to ISIM; 

[0093] 3. Home Network Domain Name to identify the Interrogating Call State 
Function (I-CSCF); 

[0094] 4. Sequence number checking in the context of the IMS domain; or 

[0095] 5. Key (K), a long term private key stored in both the ISIM and the 
CDMA2000 access network (home network), used for mutual authentication 
between the MS and IMS and for deriving at least one session key, e.g., ciphering 
or integrity keys used during the SIP session. 
[0096] In some embodiments of the present invention the sequence number 
and the key information are not stored in the UICC. 

[0097] With reference to Figure 7, the flow of data during exchange and 
modification of primitives between the applications are shown. Primitives are 
fragments of computer code capable of being interpreted by a microprocessor 
such as that within the user equipment. These fragments of computer code are 
the building blocks used to provide application functionality. A type of primitives, 
the Security primitives, can for instance control encryption, key exchange, hash 
functions, and digital signatures. 

[0098] Primitives used by applications can be designated as being "Common", 
in other words accessible by all applications. An example of a "Common" 
primitive is the SELECT primitive, which is used to access record fields owned by 
applications. The opposite of the "Common" primitive is the "Private" primitive, 
where only one or a select number of applications have access to these 
primitives. Figure 7 shows a schematic view of the embodiment of the 
present invention where the whole group of primitives or algorithms is grouped 
together 501 and stored in the UICC. The CDMA application 500, also shown in 
figure 5 as the application box 303, has access to those security primitives which it 
is allowed to access 503. The ISIM application 520, also shown in figure 5 as the 
application box 301, has access to those security primitives which it is allowed to 
access 505. Thus, for example, the security primitives for authentication/authorisation 
are different for the ISIM application 520 and the CDMA2000 application 510. 

[0099] In some embodiments of the present invention primitives supported by 
the prior art R-UIM are available only to the cdma2000 application. 
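As an added illustration that is not part of the patent, the following model puts the master-file tree of [0082]-[0086] (EF_DIR records carrying AIDs and labels, an ADF per application with its EFs) beside the Common/Private primitive rule of [0098]: SELECT is Common, while CAVE is reachable only from the CDMA2000 ADF and AKA only from the ISIM ADF. All AIDs, identities and file contents are constructed placeholders, not registered values.

```python
from dataclasses import dataclass, field

# Pool of security primitives 501 shared by all applications on the card:
# "Common" ones are reachable by every application, anything else is "Private".
COMMON_PRIMITIVES = frozenset({"SELECT"})

@dataclass
class ADF:
    label: str
    aid: bytes                                    # constructed placeholder AID
    files: dict = field(default_factory=dict)     # EF name -> stored content
    private_primitives: frozenset = frozenset()   # Private primitives it may use

class UICC:
    def __init__(self, iccid: str, languages: list):
        # Master-file level: EF_PL, EF_ICCID and EF_DIR (one record per application).
        self.mf = {"EF_PL": list(languages), "EF_ICCID": iccid, "EF_DIR": []}
        self._adfs = {}
        self.current = "MF"   # the MF is implicitly selected at power-on or reset

    def install(self, adf: ADF) -> None:
        self.mf["EF_DIR"].append({"aid": adf.aid, "label": adf.label})
        self._adfs[adf.aid] = adf

    def select(self, aid: bytes) -> ADF:
        # SELECT by AID: walk the EF_DIR records the way a terminal does
        for record in self.mf["EF_DIR"]:
            if record["aid"] == aid:
                self.current = record["label"]
                return self._adfs[aid]
        raise KeyError("no application registered for that AID")

    def invoke(self, app: ADF, primitive: str) -> str:
        # Run a primitive on behalf of app, enforcing the Common/Private rule
        if primitive in COMMON_PRIMITIVES or primitive in app.private_primitives:
            return "%s:%s" % (app.label, primitive)
        raise PermissionError("%s may not use %s" % (app.label, primitive))

def build_demo_card() -> UICC:
    # A CDMA2000 access ADF (CAVE) beside an ISIM ADF (AKA); all values constructed.
    card = UICC(iccid="CONSTRUCTED-ICCID", languages=["en", "fi"])
    card.install(ADF("CDMA2000", b"\xa0\x00\x00\x00\x01",
                     {"EF_KEYS": {}}, frozenset({"CAVE"})))
    card.install(ADF("ISIM", b"\xa0\x00\x00\x00\x02",
                     {"EF_IMPI": "user@example.com", "EF_DOMAIN": "example.com"},
                     frozenset({"AKA"})))
    return card

def can_use(card: UICC, label: str, primitive: str) -> bool:
    aid = next(r["aid"] for r in card.mf["EF_DIR"] if r["label"] == label)
    try:
        return bool(card.invoke(card.select(aid), primitive))
    except PermissionError:
        return False
```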

[0100] Embodiments of the present invention as described above are therefore 
capable of being configured in order that the security mechanisms are flexible and 
therefore effectively open. Thus, for instance, if a new application uses a stored 
security mechanism or primitive, the application can be allowed to access the 
primitive and thus use the security method. For example, if the IMS security 
solution for the 3GPP2 key exchange application supports AKA, then the copying 
of the AKA solution provided by the 3GPP AKA key exchange can be carried out. 

[0101] Furthermore, if IMS has to use the access network mechanism for 
confidentiality protection, the invention allows the user equipment to operate with 
both the network access confidentiality protection, which in the case of the 
CDMA2000 radio interface is the confidentiality mechanism CAVE, and the IMS 
system AKA. This is not possible to implement in the prior art. 

[0102] With reference to figure 8 a series of possible security mechanisms 
which can be implemented by embodiments of the present invention are shown. 

[0103] The lower half 650 of the figure shows the network elements which go to 
create the communications network: the user equipment (or terminal) and the 
UIM 601, the access network 603 & 635, the visited network 637, and the home 
network 639. As is known in the art, the R-UIM and the user equipment are 
connected via a wireless communications link to the radio network within the 
access network 603. The access network 603 typically consists of the base 
transceiver station which communicates with the user equipment over the wireless 
communications link. The access network 603 is typically connected to such 
network elements as an authentication, authorisation, and accounting node (AAA) 
607, which provides the network with a record of who is accessing it and what is 
being accessed, and/or a mobile switching centre (MSC) 605 (which in some 
networks is also known as a home location register (HLR) server). 

[0104] If the user equipment is making a communications link via a visited 
network 637 (such as the case where the user equipment is making a call from a 
foreign country), the communications link is passed through an access gateway 
(AGW) 609 and a proxy session control manager (P-SCM) 613. The P-SCM 
connects to the home network 639 and the interrogating session control manager 
(I-SCM) 615 and the serving session control manager (S-SCM) 617. 

[0105] The visited network 637 can further consist of a further authentication, 
authorisation, and accounting node (AAA) 611 connected to the access gateway 
(AGW) 609. In the home network 639 the S-SCM 617 can connect to a further 
authentication, authorisation, and accounting node (AAA) 619. 

[0106] The upper half 600 of figure 8 shows the various possible security 
mechanisms which can be implemented by embodiments of the present invention 
with respect to the coverage of the security mechanism. 

[0107] A first pair of security mechanisms is used between the user equipment 
and the access network. The first access network authentication 623 uses the IS- 
41 solution as is known in the art, and involves the mobile switching centre. In 
other embodiments of the present invention an alternative access network 
authentication 621 can be used. The alternative authentication uses a Point-to- 
Point protocol and involves the authentication, authorisation, and accounting node 
(AAA) 607. The alternative access network authentication is particularly efficient in 
embodiments operating within enhanced CDMA2000 systems such as the 1x 
evolved data-only networks (1xEV-DO). 

[0108] The second pair of security mechanisms shown in figure 8 perform 
packet network authentication, in other words authentication from the user 
equipment to a core network (which is shown in figure 8 as the visited network 
627). The first alternative 627 is the packet network authentication using Point-to- 
Point protocol (PPP) and involves the use of the visited network's authentication, 
authorisation, and accounting node (AAA) 611. The authentication protocol used 
in this embodiment of the invention also uses the access gateway/packet data 
serving node (PDSN) 609. The authentication protocol used in embodiments of 
the invention carrying out such an authentication can be the challenge- 
handshake authentication protocol (CHAP) or password authentication protocol 
(PAP). The first packet network authentication method is used where the URI is a 
simple Internet Protocol (IP) address. 

[0109] In embodiments of the present invention a second packet network 
authentication method is used where the URI is a mobile internet protocol address 
(MobIP). In the second packet network authentication method 625, the 
authentication is carried out over a Mobile internet protocol (MobIP) link, and is 
typically between the user equipment and the authentication, authorisation, and 
accounting node (AAA) 611. In such an embodiment the actual authentication is 
controlled by the MobIP. In other embodiments of the present invention the 
authentication involves the use of the access gateway (AGW)/packet data serving 
node (PDSN) 609. 

[0110] In a further example of the flexibility of the present invention the preferred 
embodiment can also carry out multimedia domain (MMD) network authentication. 
MMD authentication uses a session initiation protocol registration to the home 
network's authentication, authorisation, and accounting node 619. In detail, MMD 
authentication uses the AKA method used in session initiation protocol 
registration, and relies on the home network authentication, authorisation, and 
accounting node or database as a data storage. 

[0111] The demand for a solution which supports both multiple applications in 
the cdma2000 access network and an IMS core network application, i.e. a SIM 
structure which is network agnostic, is met by embodiments of the present 
invention. The use of a modified UICC carrying out the smart-card functionality 
enables a network agnostic subscriber identity module to be implemented and 
used in user equipment, so that multiple simultaneous and independent 
applications can be carried out by the same user equipment. 

[0112] Furthermore, embodiments of the present invention, when implemented 
along with IMS core network applications on the UICC for 3GPP networks, enable 
access, in the sense of providing authentication information, to different access 
networks such as the following: 
a) Universal Mobile Telecommunications System (UMTS) where 
the application is called USIM. For more information, please refer to 
3GPP TS 23.111: USIM and IC card requirements (hereby incorporated 
by reference); and 

b) Code Division Multiple Access 2000 (cdma2000), where the 
user equipment is able to read a UICC card. This application contains 
the necessary information (including security) and specific algorithms 
for authentication to cdma2000 networks, and security protection. 

[0113] The following advantages are therefore provided by the preferred 
embodiment of the present invention: 

a) One of the applications, IM (IP-Based Multimedia) Services 
Identity Module (ISIM), can have its own identity structure independently 
of the cdma2000 authentication mechanism. For example, cdma2000 
may use CAVE as access, and IMS Authentication & Key Agreement 
(AKA) for the IMS. 

b) There is support of IMS in cdma2000 for: 

(i) Security: network access application may provide 
authentication as well as integrity protection for IMS users in 
the same way as 3GPP users; and 

(ii) Storage of IMS information. 

c) There is flexibility as multiple applications can be run in parallel 
and can share information, and/or algorithms. 

d) IMS Roaming is facilitated between 3GPP & 3GPP2. 

e) Evolution of applications on the UICC is facilitated. 
[0114] Although described in the context of particular embodiments, it will be 
apparent to those skilled in the art that a number of modifications and various 
changes to these teachings may occur. Thus, while the invention has been 
particularly shown and described with respect to one or more preferred 
embodiments thereof, it will be understood by those skilled in the art that certain 
modifications or changes, in form and shape, may be made therein without 
departing from the scope and spirit of the invention as set forth above and claimed 
hereafter. 
